6 Tips for Disaster Recovery Planning in Healthcare Organizations

by SEP Blog Team | Disaster Recovery, healthcare data protection

A disaster recovery plan is imperative for all businesses; however, some industries are more sensitive to downtime and have become the target of more attacks. The healthcare industry processes and stores some of the most sensitive and meaningful data. Healthcare data is highly valuable to cyber criminals, and lost data can have wide-reaching implications for patient health, provider success, medical research and disease prevention, and public health and safety.


We know that creating a disaster recovery plan is not a quick and easy task for anyone. Here are 6 tips to help you implement a successful data disaster recovery plan at your hospital, clinic, or healthcare facility.

Compile Your IT System Inventory

You won't be able to cover all of your assets unless you know what they are and what impact they have on your organization. Begin by creating a list of application systems (EHR, PACS, etc.) so that you have a complete picture of your operations. Don't forget to include things that are often overlooked, such as executive dashboards, shared files, departmental file storage, patient portals, and your intranet.

The goal is to walk away with:

  1. a complete understanding of the systems your organization has in use and
  2. a list that will become the foundation for your data recovery plan.

Conduct A Business Impact Analysis

Using your system inventory, conduct a Business Impact Analysis (BIA) on each application or system. You will need to aggregate information about each system, such as the vendor contract, hardware and software components, inbound and outbound interfaces, and its priority to your organization. The goal of collecting this information is to help you make a value assessment for each system. Decisions about your recovery strategy, i.e., which systems are restored first during downtime, should be based on this analysis.

Determine RPOs and RTOs

Recovery Point Objectives (RPOs) identify how far back you are willing to go when restoring data from backups, that is, how much recent data you can afford to lose. Your BIA should include the acceptable recovery point for each system.

Recovery Time Objectives (RTOs) determine how quickly you need to have the system back up and running. It is crucial to determine RTOs before downtime occurs, because once it does, patient safety and care are on the line.

Setting disaster recovery objectives is a balancing act between your organization's expectations and its budget. Typically, the shorter your recovery point and recovery time objectives, the higher the cost of a solution that meets them.
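The inventory and BIA from the earlier tips and the RPO/RTO values from this one only become useful when they are checked against evidence. The script below is an added example, not code from the SEP post or from SEP's products, and every system name, priority, objective, backup timestamp and measured restore duration in it is constructed for illustration. It checks the newest successful backup of each inventoried system against its RPO at a hypothetical outage time, flags systems with no backup at all, and simulates a serial restore in BIA priority order so that RTO misses caused by queueing behind higher-priority systems become visible.

```python
"""Added example: checking a system inventory's RPO/RTO against backup evidence.

Everything here is constructed for illustration: the systems, priorities,
objectives, backup timestamps and measured restore durations are hypothetical
and do not come from any real organization or product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SystemObjective:
    """One BIA row: what the organization decided for a system."""
    name: str
    priority: int        # 1 = restore first (from the Business Impact Analysis)
    rpo_minutes: int     # tolerable data loss, as time between last backup and outage
    rto_minutes: int     # tolerable time from outage until the system is back


# Constructed inventory (hypothetical names and values)
INVENTORY = [
    SystemObjective("EHR", 1, rpo_minutes=15, rto_minutes=60),
    SystemObjective("PACS", 2, rpo_minutes=240, rto_minutes=480),
    SystemObjective("PatientPortal", 3, rpo_minutes=720, rto_minutes=1440),
    SystemObjective("ExecDashboards", 4, rpo_minutes=1440, rto_minutes=4320),
]

# Constructed backup catalog: completion time of the newest *successful* backup.
# ExecDashboards is deliberately absent, modelling an asset the backup job missed.
LAST_GOOD_BACKUP = {
    "EHR": datetime(2017, 6, 1, 8, 50, tzinfo=timezone.utc),
    "PACS": datetime(2017, 6, 1, 3, 0, tzinfo=timezone.utc),
    "PatientPortal": datetime(2017, 5, 31, 18, 0, tzinfo=timezone.utc),
}

# Constructed "moment of disaster" used for the RPO check
OUTAGE_AT = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)

# Constructed restore durations measured during a DR test, in minutes
MEASURED_RESTORE_MINUTES = {
    "EHR": 45,
    "PACS": 480,
    "PatientPortal": 120,
    "ExecDashboards": 60,
}


def rpo_gaps(inventory, catalog, outage_at):
    """For each system, minutes of data loss beyond its RPO at `outage_at`.

    0 means the newest backup is within the RPO; None means no successful
    backup is recorded at all, which is the worst case and must be surfaced
    rather than silently skipped.
    """
    gaps = {}
    for system in inventory:
        last = catalog.get(system.name)
        if last is None:
            gaps[system.name] = None
            continue
        age_minutes = int((outage_at - last).total_seconds() // 60)
        gaps[system.name] = max(0, age_minutes - system.rpo_minutes)
    return gaps


def restore_order(inventory):
    """Restore sequence: BIA priority first, tightest RTO as the tie-breaker."""
    return [s.name for s in sorted(inventory, key=lambda s: (s.priority, s.rto_minutes))]


def serial_restore_check(inventory, measured_minutes):
    """Simulate one team restoring systems back-to-back in restore order.

    Returns (name, cumulative_minutes, meets_rto) per system. A system whose
    own restore fits inside its RTO can still miss it once the systems ahead
    of it in the queue are accounted for; that is the point of the check.
    """
    by_name = {s.name: s for s in inventory}
    elapsed = 0
    report = []
    for name in restore_order(inventory):
        elapsed += measured_minutes[name]
        report.append((name, elapsed, elapsed <= by_name[name].rto_minutes))
    return report


if __name__ == "__main__":
    for name, gap in rpo_gaps(INVENTORY, LAST_GOOD_BACKUP, OUTAGE_AT).items():
        status = "NO BACKUP" if gap is None else ("ok" if gap == 0 else f"{gap} min over RPO")
        print(f"RPO  {name:15} {status}")
    for name, elapsed, ok in serial_restore_check(INVENTORY, MEASURED_RESTORE_MINUTES):
        print(f"RTO  {name:15} done at +{elapsed} min  {'ok' if ok else 'MISSED'}")
```

With the constructed values, PACS restores in exactly its 480-minute RTO when measured alone, yet misses it in the serial simulation because the EHR restore runs first; that is the kind of gap a paper review of objectives will not reveal and a DR test will.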

Create a Contingency Plan

HIPAA requires contingency planning in case a natural disaster or cyber attack occurs. Check the HIPAA regulations to ensure your contingency plan is compliant. The U.S. Department of Health & Human Services offers tools such as its audit program to help. Be proactive and take advantage of their services.

Your disaster recovery plan must identify a site for the relocation of your datacenter. Consult with other area businesses and government agencies about their plans; this helps prevent multiple facilities from relocating to the same place during a disaster. Identify a second and third site to save valuable time and avoid confusion in the chaos of a disaster, and evaluate the infrastructure of each alternate site: these sites may have limitations and may require additional equipment or supplies.

Define the DR Plan

As you develop your disaster recovery plan, it is essential that the plan is clearly recorded, unambiguous, and accessible. Make sure the key components of each process are clearly defined and universally understood by the key players both within and outside of the IT department. Depending on the disaster, your organization may be forced to depend on employees outside of IT.

Test Your Plan Against Your Organization's Goals

Test your disaster recovery plan, and test it regularly against your organization's goals and against new threats. Test against natural disasters, phishing attacks, and ransomware. As you find issues or gaps, revise the plan and re-test it. Remember that patient safety and care will be the number one goal during a disaster, and that those goals may change as recovery efforts progress. The critical point is to get started now and be diligent about testing, improving, and updating your plan over time.

What plan do you have in place if a data breach or disaster strikes your healthcare facility? SEP Software is here to help! We can help you create, implement, and maintain DR best practices for your organization. For more information, contact us today.
